
Thread: Need Help For Malware Infection

  1. #11
    Junior Member (Join Date: Dec 2009, Posts: 21)

    Thank you for your reply and your ongoing help. Below are the ComboFix and DDS logs you requested. I look forward to hearing from you again.

    Steve

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    ComboFix 10-03-29.04 - Lucia 04/01/2010 8:04.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.893.299 [GMT -4:00]
    Running from: c:\users\Lucia\Desktop\ComboFix.exe
    SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
    c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
    c:\$recycle.bin\S-1-5-21-398607059-182350876-811521359-500
    c:\windows\Downloaded Program Files\popcaploader.inf
    c:\windows\Temp\0021691270049693mcinst.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-03-01 to 2010-04-01 )))))))))))))))))))))))))))))))
    .

    2010-04-01 12:34 . 2010-04-01 12:34 -------- d-----w- c:\users\Steve\AppData\Local\temp
    2010-04-01 12:34 . 2010-04-01 12:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-04-01 12:34 . 2010-04-01 12:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
    2010-04-01 12:01 . 2010-04-01 12:02 -------- d-----w- C:\32788R22FWJFW
    2010-03-25 12:45 . 2010-03-25 12:45 -------- d-----w- c:\program files\Windows Portable Devices
    2010-03-25 12:34 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
    2010-03-25 12:34 . 2009-10-01 01:02 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
    2010-03-25 12:34 . 2009-10-01 01:01 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2010-03-25 12:34 . 2009-10-01 01:01 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
    2010-03-25 12:34 . 2009-10-01 01:02 2537472 ----a-w- c:\windows\system32\wpdshext.dll
    2010-03-25 12:34 . 2009-10-01 01:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
    2010-03-25 12:34 . 2009-10-01 01:01 546816 ----a-w- c:\windows\system32\wpd_ci.dll
    2010-03-25 12:34 . 2009-10-01 01:02 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2010-03-25 12:34 . 2009-10-01 01:01 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2010-03-25 12:34 . 2009-10-01 01:01 350208 ----a-w- c:\windows\system32\WPDSp.dll
    2010-03-25 12:34 . 2009-10-01 01:01 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
    2010-03-25 12:34 . 2009-10-01 01:01 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2010-03-25 12:32 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-03-25 12:32 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-03-25 12:32 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-03-24 23:12 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-03-24 23:12 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-03-24 23:12 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-03-24 23:00 . 2010-03-24 23:00 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
    2010-03-24 22:58 . 2010-03-24 22:58 85808 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-03-24 22:58 . 2010-03-24 22:58 -------- d-----w- c:\users\Guest\AppData\Local\MediaDirect
    2010-03-24 22:58 . 2010-03-24 22:58 -------- d-----w- c:\users\Guest\AppData\Local\Google
    2010-03-24 22:58 . 2010-03-24 22:58 -------- d--h--w- c:\users\Guest\AppData\Roaming\GTek
    2010-03-24 22:54 . 2010-03-24 22:54 -------- d-----w- c:\users\Guest\AppData\Local\VirtualStore
    2010-03-22 03:20 . 2010-03-22 03:20 -------- d-----w- c:\windows\system32\ca-ES
    2010-03-22 03:20 . 2010-03-22 03:20 -------- d-----w- c:\windows\system32\eu-ES
    2010-03-22 03:20 . 2010-03-22 03:20 -------- d-----w- c:\windows\system32\vi-VN
    2010-03-17 03:26 . 2010-02-20 23:06 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-17 03:26 . 2010-02-20 20:53 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-17 03:26 . 2010-02-20 23:05 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-15 21:55 . 2009-12-08 20:01 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-03-15 21:55 . 2009-12-08 20:01 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-03-08 12:37 . 2010-03-08 12:37 -------- d-----w- c:\program files\ERUNT
    2010-03-08 05:06 . 2009-12-11 11:43 302080 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-03-08 05:06 . 2009-12-11 11:43 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-03-08 05:05 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-03-08 05:01 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-03-08 05:01 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-03-08 05:01 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-03-08 05:01 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-03-08 05:01 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-03-08 05:01 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-01 11:29 . 2008-01-19 19:43 -------- d-----w- c:\program files\McAfee
    2010-03-31 16:34 . 2010-03-31 16:34 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2010-03-25 12:45 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-03-25 12:44 . 2010-03-25 12:44 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-03-22 03:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
    2010-03-22 03:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
    2010-03-22 03:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
    2010-03-22 03:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
    2010-03-22 03:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-03-22 03:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
    2010-03-22 03:20 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
    2010-03-17 14:04 . 2008-02-05 00:57 1356 ----a-w- c:\users\Lucia\AppData\Local\d3d9caps.dat
    2010-03-08 11:14 . 2007-10-30 01:19 85808 ----a-w- c:\users\Lucia\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-24 14:16 . 2009-10-15 23:09 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-05 19:50 . 2010-02-05 19:50 388096 ----a-r- c:\users\Steve\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-05 19:50 . 2010-02-05 19:50 -------- d-----w- c:\program files\TrendMicro
    2010-02-05 19:40 . 2010-02-05 19:40 85240 ----a-w- c:\users\Steve\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-05 19:40 . 2010-02-05 19:40 -------- d--h--w- c:\users\Steve\AppData\Roaming\GTek
    2010-02-05 16:34 . 2010-02-05 16:34 -------- d-----w- c:\users\Lucia\AppData\Roaming\Malwarebytes
    2010-02-05 16:34 . 2010-02-05 16:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-02-05 16:34 . 2010-02-05 16:34 -------- d-----w- c:\programdata\Malwarebytes
    2010-02-03 21:18 . 2010-02-03 21:18 93056 ----a-w- C:\ugldapow.sys
    2010-01-25 12:00 . 2010-03-08 05:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00 . 2010-03-08 05:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 11:58 . 2010-03-08 05:00 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-07 21:07 . 2010-02-05 16:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-01-07 21:07 . 2010-02-05 16:34 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-01-06 15:38 . 2010-03-24 23:12 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
    2010-01-06 15:38 . 2010-03-24 23:12 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
    2010-01-06 15:38 . 2010-03-24 23:12 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
    2010-01-06 15:38 . 2010-03-24 23:12 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
    2010-01-02 06:38 . 2010-01-27 03:06 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32 . 2010-01-27 03:06 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32 . 2010-01-27 03:06 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57 . 2010-01-27 03:06 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2007-10-25 13:53 . 2007-10-25 13:42 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-04-18 159744]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
    "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
    "dscactivate"="c:\dell\dsca.exe" [2007-07-30 16384]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-26 30192]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
    "ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2007-09-12 492912]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-28 405504]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-25 50688]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ \0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):52,2c,98,8d,6f,c9,ca,01

    R2 0021691270049693mcinstcleanup;McAfee Application Installer Cleanup (0021691270049693);c:\windows\TEMP\002169~1.EXE [x]
    R2 ATIWebPAM;ATI WebPAM;c:\program files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe [2003-09-29 110592]
    R3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-10-26 30192]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-28 73728]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]

    2008-02-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-21 16:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoomail.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-01 08:35
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-04-01 08:44:09
    ComboFix-quarantined-files.txt 2010-04-01 12:44

    Pre-Run: 66,662,301,696 bytes free
    Post-Run: 66,577,870,848 bytes free

    - - End Of File - - 4E02B663121A88E5114D556C24DF5FBA



    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Lucia at 8:46:25.64 on Thu 04/01/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.893.143 [GMT -4:00]

    SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\taskeng.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wuauclt.exe
    c:\program files\windows defender\MpCmdRun.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Windows\system32\notepad.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\explorer.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\Lucia\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoomail.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [dscactivate] c:\dell\dsca.exe 3
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll
    IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-19 214664]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-10-25 73728]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-9-19 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-9-19 144704]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-1-27 1153368]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-19 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-19 35272]
    S2 0021691270049693mcinstcleanup;McAfee Application Installer Cleanup (0021691270049693);c:\windows\temp\002169~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\002169~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S2 ATIWebPAM;ATI WebPAM;c:\program files\ati\webpam\jetty\extra\win32\Wrapper.exe [2003-9-29 110592]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-13 21504]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-25 30192]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-19 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-19 40552]
    S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-9-19 606736]

    =============== Created Last 30 ================

    2010-04-01 12:44:38 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-01 12:02:15 98816 ----a-w- c:\windows\sed.exe
    2010-04-01 12:02:15 77312 ----a-w- c:\windows\MBR.exe
    2010-04-01 12:02:15 261632 ----a-w- c:\windows\PEV.exe
    2010-04-01 12:02:15 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-01 12:02:06 0 d-----w- C:\ComboFix
    2010-03-25 12:45:16 0 d-----w- c:\program files\Windows Portable Devices
    2010-03-25 12:44:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-03-25 12:34:24 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2010-03-25 12:32:58 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-03-25 12:32:58 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-03-25 12:32:57 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-03-24 23:12:43 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-03-24 23:12:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-03-24 23:12:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-03-22 03:20:12 0 d-----w- c:\windows\system32\eu-ES
    2010-03-22 03:20:12 0 d-----w- c:\windows\system32\ca-ES
    2010-03-22 03:20:11 0 d-----w- c:\windows\system32\vi-VN
    2010-03-17 03:26:26 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-17 03:26:16 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-17 03:26:15 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-15 21:55:39 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-03-15 21:55:38 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-03-08 05:06:01 302080 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-03-08 05:06:00 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-03-08 05:05:41 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-03-08 05:01:04 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-03-08 05:01:03 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-03-08 05:01:03 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-03-08 05:01:02 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-03-08 05:01:01 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-03-08 05:01:01 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe

    ==================== Find3M ====================

    2010-03-25 12:45:12 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-03-25 12:45:12 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-25 12:45:11 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-03-25 12:45:10 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-22 03:04:18 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-03 21:18:41 93056 ----a-w- C:\ugldapow.sys
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-02 06:38:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-01-02 06:32:33 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-01-02 06:32:33 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-01-02 04:57:00 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2008-11-01 16:54:40 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2007-10-25 13:53:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 8:47:44.30 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 10/25/2007 2:01:47 AM
    System Uptime: 4/1/2010 7:28:02 AM (1 hours ago)

    Motherboard: Dell Inc. | | 0UK441
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Microprocessor | 1800/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 99 GiB total, 62.041 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.908 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP207: 3/21/2010 10:52:35 PM - Windows Vista™ Service Pack 2
    RP208: 3/24/2010 7:12:17 PM - Windows Update
    RP209: 3/25/2010 8:28:13 AM - Windows Update
    RP210: 3/31/2010 11:45:30 AM - Windows Update
    RP211: 4/1/2010 7:35:45 AM - Windows Update

    ==== Installed Programs ======================

    3ivx MPEG-4 5.0.3 (remove only)
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Aiseesoft Mod Video Converter
    Amazon MP3 Downloader 1.0.3
    AOL Install
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Control Center
    ATI PCI Express (3GIO) Filter Driver
    Bonjour
    Broadcom Management Programs
    Browser Address Error Redirector
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-Branding
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Cooliris for Internet Explorer
    Dell DataSafe Online
    Dell Support Center
    Dell System Customization Wizard
    Dell Touchpad
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    EarthLink Setup Files
    ERUNT 1.1j
    FlipShare
    Games, Music, & Photos Launcher
    Google Desktop
    Google Toolbar for Internet Explorer
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Internet Service Offers Launcher
    iTunes
    Java(TM) SE Runtime Environment 6
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    MediaDirect
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Live Meeting 2007
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    Move Media Player
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    NetZeroInstallers
    OGA Notifier 2.0.0048.0
    OutlookAddinSetup
    Product Documentation Launcher
    QuickSet
    QuickTime
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Safari
    Skins
    Skype™ 3.8
    Sonic Activation Module
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    WebPAM

    ==== Event Viewer Messages From Past Week ========

    4/1/2010 8:34:52 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    4/1/2010 8:03:38 AM, Error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
    4/1/2010 8:03:38 AM, Error: Service Control Manager [7034] - The ATI WebPAM service terminated unexpectedly. It has done this 1 time(s).
    4/1/2010 8:03:01 AM, Error: Service Control Manager [7034] - The XAudioService service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================

  2. #12
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi Steve,

    Upload the C:\ugldapow.sys file to http://www.virustotal.com and post back the results.


    Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 19.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click Continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation (with or without Multi-language) and save it to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u19-windows-i586-p.exe to install the newest version. Uncheck the Carbonite online backup trial if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


    Post back its report & a fresh dds.txt log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #13
    Junior Member
    Join Date
    Dec 2009
    Posts
    21


    I apologize for the delay in responding. I hope to have the requested scans in the next day or two.

  4. #14
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Ok. Thanks for the heads up.

  5. #15
    Junior Member
    Join Date
    Dec 2009
    Posts
    21


    Here is the info you requested. Machine is still running very slowly and claims I am not logged in as Administrator even though I am.

    Thank you, again, for your help.

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Antivirus Version Last Update Result
    a-squared 4.5.0.50 2010.04.12 -
    AhnLab-V3 5.0.0.2 2010.04.10 -
    AntiVir 7.10.6.62 2010.04.12 -
    Antiy-AVL 2.0.3.7 2010.04.12 -
    Authentium 5.2.0.5 2010.04.12 -
    Avast 4.8.1351.0 2010.04.12 -
    Avast5 5.0.332.0 2010.04.12 -
    AVG 9.0.0.787 2010.04.12 -
    BitDefender 7.2 2010.04.12 -
    CAT-QuickHeal 10.00 2010.04.12 -
    ClamAV 0.96.0.3-git 2010.04.12 -
    Comodo 4577 2010.04.12 -
    DrWeb 5.0.2.03300 2010.04.12 -
    eSafe 7.0.17.0 2010.04.11 -
    eTrust-Vet 35.2.7420 2010.04.12 -
    F-Prot 4.5.1.85 2010.04.12 -
    F-Secure 9.0.15370.0 2010.04.12 -
    Fortinet 4.0.14.0 2010.04.12 -
    GData 19 2010.04.12 -
    Ikarus T3.1.1.80.0 2010.04.12 -
    Jiangmin 13.0.900 2010.04.12 -
    Kaspersky 7.0.0.125 2010.04.12 -
    McAfee-GW-Edition 6.8.5 2010.04.12 -
    Microsoft 1.5605 2010.04.12 -
    NOD32 5021 2010.04.12 -
    Norman 6.04.11 2010.04.12 -
    nProtect 2009.1.8.0 2010.04.06 -
    Panda 10.0.2.2 2010.04.11 -
    PCTools 7.0.3.5 2010.04.12 -
    Prevx 3.0 2010.04.12 -
    Rising 22.43.00.04 2010.04.12 -
    Sophos 4.52.0 2010.04.12 -
    Sunbelt 6166 2010.04.12 -
    Symantec 20091.2.0.41 2010.04.12 -
    TheHacker 6.5.2.0.259 2010.04.12 -
    TrendMicro 9.120.0.1004 2010.04.12 -
    VBA32 3.12.12.4 2010.04.09 -
    ViRobot 2010.4.12.2272 2010.04.12 -
    VirusBuster 5.0.27.0 2010.04.12 -
    Additional information
    File size: 93056 bytes
    MD5...: 54754317755d9e6a635d4f77483c6192
    SHA1..: cfbfe041eb2a62ec64072cf8ccf5f2509068d4f6
    SHA256: 876cf88b59424dc3273eb499916cf2a45cff48451c07b7930f5a44bcafd409b0
    ssdeep: 1536:jLesFbh9KZibUCGQM4Ox5NqNgy+b93OWi/SNKchwW:feMHKZ9CGQvS5NnyE
    eWi/SNFn

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x14405
    timedatestamp.....: 0x4b274f8d (Tue Dec 15 08:57:49 2009)
    machinetype.......: 0x14c (I386)

    ( 6 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x480 0xd33c 0xd380 6.46 369881577d8a8e40662355b9a6a8f116
    .rdata 0xd800 0x2954 0x2980 5.35 dab9288e45742bb2bb1371bbcae4edd9
    .data 0x10180 0x4264 0x4280 0.33 3bd12180ea94dd764b9a94c27f1dbc98
    INIT 0x14400 0x9fa 0xa00 5.59 b1437a6ac450e829cb8d3ade6642fbba
    .rsrc 0x14e00 0x370 0x380 3.35 17802f95cc137d158e938e83ff42c7d8
    .reloc 0x15180 0x19e4 0x1a00 6.44 ca9254ea63db79e98be17c626bee088c

    ( 2 imports )
    > ntoskrnl.exe: ExFreePoolWithTag, ExAllocatePoolWithTag, ZwReadFile, ZwQueryInformationFile, ZwOpenFile, _except_handler3, KeQuerySystemTime, PsLookupProcessByProcessId, ObfDereferenceObject, ObReferenceObjectByHandle, KeDetachProcess, KeAttachProcess, MmIsAddressValid, ZwSetInformationFile, RtlInitUnicodeString, ObOpenObjectByPointer, IofCompleteRequest, IoDeleteDevice, IoDeleteSymbolicLink, RtlUnicodeStringToAnsiString, PsTerminateSystemThread, PsCreateSystemThread, KeInitializeEvent, wcsstr, IoCreateSymbolicLink, IoCreateDevice, PsGetVersion, strrchr, KeBugCheckEx, IoFreeIrp, KeGetCurrentThread, _wcsnicmp, IoAllocateIrp, IoGetBaseFileSystemDeviceObject, ZwWriteFile, ZwCreateFile, strncmp, IoGetCurrentProcess, strncpy, _vsnprintf, PsGetCurrentProcessId, _snprintf, RtlTimeToTimeFields, ExSystemTimeToLocalTime, _stricmp, ZwQuerySystemInformation, _strnicmp, RtlCopyUnicodeString, ZwQueryValueKey, ZwOpenKey, ZwClose, _snwprintf, IoFreeMdl, MmUnlockPages, MmProbeAndLockPages, IoAllocateMdl, wcslen, ZwEnumerateKey, PsLookupThreadByThreadId, RtlAnsiStringToUnicodeString, RtlInitAnsiString, _strupr, _strlwr, KeDelayExecutionThread, RtlVolumeDeviceToDosName, ObfReferenceObject, IoGetDeviceObjectPointer, wcschr, wcsncmp, KeInsertQueueDpc, KeSetTargetProcessorDpc, KeInitializeDpc, KeNumberProcessors, KeServiceDescriptorTable, MmMapLockedPagesSpecifyCache, _wcsicmp, wcsrchr, strchr, strstr, wcsncpy, IoCreateNotificationEvent, ZwQuerySection, wcscpy, RtlInitString, ZwRequestWaitReplyPort, ZwConnectPort, MmMapLockedPages, MmGetSystemRoutineAddress, ObReferenceObjectByName, IoDriverObjectType, ZwDeleteFile, KeTickCount, NtClose, IofCallDriver, RtlCompareUnicodeString, IoBuildSynchronousFsdRequest, _alldiv, KeSetEvent, KeWaitForSingleObject, ZwSetValueKey, KeClearEvent
    > HAL.dll: KfLowerIrql, KeGetCurrentIrql, KfRaiseIrql

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    sigcheck:
    publisher....: GMER
    copyright....: Copyright (C) GMER 2003-2009
    product......: GMER
    description..: GMER Driver http://www.gmer.net
    original name: gmer.sys
    internal name: gmer.sys
    file version.: 1, 0, 15, 4809 built by: WinDDK
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

    trid..: Win32 Executable Generic (51.1%)
    Win16/32 Executable Delphi generic (12.4%)
    Clipper DOS Executable (12.1%)
    Generic Win/DOS Executable (12.0%)
    DOS Executable Generic (12.0%)
    packers (Kaspersky): PE_Patch
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Tuesday, April 13, 2010
    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, April 13, 2010 08:08:41
    Records in database: 3938991
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 136006
    Threats found: 1
    Infected objects found: 0
    Suspicious objects found: 2
    Scan duration: 03:40:58


    File name / Threat / Threats count
    C:\ProgramData\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch154.zip Suspicious: Password-protected-EXE 1
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch154.zip Suspicious: Password-protected-EXE 1

    Selected area has been scanned.


    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


    DDS (Ver_09-12-01.01) - NTFSx86
    Run by Lucia at 16:20:19.09 on Tue 04/13/2010
    Internet Explorer: 8.0.6001.18882
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.893.361 [GMT -4:00]

    SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ATI\WebPAM\jetty\extra\win32\Wrapper.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\ATI\WebPAM\_jvm\bin\java.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\System32\alg.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    C:\Windows\system32\taskeng.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
    C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Users\Lucia\AppData\Local\Temp\jkos-Lucia\binaries\ScanningProcess.exe
    C:\Users\Lucia\AppData\Local\Temp\jkos-Lucia\binaries\ScanningProcess.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\Lucia\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoomail.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
    mRun: [dscactivate] c:\dell\dsca.exe 3
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
    mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: c:\progra~1\google\google~2\GoogleDesktopNetwork3.dll

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-19 214664]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-10-25 73728]
    R2 ATIWebPAM;ATI WebPAM;c:\program files\ati\webpam\jetty\extra\win32\Wrapper.exe [2003-9-29 110592]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-19 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-19 35272]
    S2 0021691270049693mcinstcleanup;McAfee Application Installer Cleanup (0021691270049693);c:\windows\temp\002169~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\002169~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-10-13 21504]
    S3 GoogleDesktopManager-093009-130223;Google Desktop Manager 5.9.909.30391;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-10-25 30192]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-19 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-19 40552]

    =============== Created Last 30 ================

    2010-04-12 16:29:33 0 d-----w- c:\programdata\Sun
    2010-04-12 16:27:23 411368 ----a-w- c:\windows\system32\deploytk.dll
    2010-04-12 15:37:08 0 d-----w- c:\programdata\NOS
    2010-04-01 12:44:38 0 d-sh--w- C:\$RECYCLE.BIN
    2010-04-01 12:02:15 98816 ----a-w- c:\windows\sed.exe
    2010-04-01 12:02:15 77312 ----a-w- c:\windows\MBR.exe
    2010-04-01 12:02:15 261632 ----a-w- c:\windows\PEV.exe
    2010-04-01 12:02:15 161792 ----a-w- c:\windows\SWREG.exe
    2010-04-01 12:02:06 0 d-----w- C:\ComboFix
    2010-03-25 12:45:16 0 d-----w- c:\program files\Windows Portable Devices
    2010-03-25 12:44:37 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
    2010-03-25 12:34:24 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
    2010-03-25 12:32:58 4096 ----a-w- c:\windows\system32\oleaccrc.dll
    2010-03-25 12:32:58 234496 ----a-w- c:\windows\system32\oleacc.dll
    2010-03-25 12:32:57 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
    2010-03-24 23:12:43 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-03-24 23:12:41 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-03-24 23:12:41 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-03-22 03:20:12 0 d-----w- c:\windows\system32\eu-ES
    2010-03-22 03:20:12 0 d-----w- c:\windows\system32\ca-ES
    2010-03-22 03:20:11 0 d-----w- c:\windows\system32\vi-VN
    2010-03-17 03:26:26 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-03-17 03:26:16 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2010-03-17 03:26:15 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-03-15 21:55:39 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-03-15 21:55:38 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe

    ==================== Find3M ====================

    2010-03-25 12:45:12 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-03-25 12:45:12 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-03-25 12:45:11 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-03-25 12:45:10 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-03-22 03:04:18 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-02-24 14:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-03 21:18:41 93056 ----a-w- C:\ugldapow.sys
    2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
    2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
    2010-01-25 08:21:20 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-01-25 08:21:20 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-01-25 08:21:18 518144 ----a-w- c:\windows\system32\RMActivate.exe
    2010-01-25 08:21:18 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
    2008-11-01 16:54:40 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2007-10-25 13:53:01 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 16:23:14.12 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 10/25/2007 2:01:47 AM
    System Uptime: 4/13/2010 11:26:09 AM (5 hours ago)

    Motherboard: Dell Inc. | | 0UK441
    Processor: AMD Athlon(tm) 64 X2 Dual-Core Processor TK-55 | Microprocessor | 1800/100mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 99 GiB total, 57.749 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 5.908 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================


    ==== Installed Programs ======================

    3ivx MPEG-4 5.0.3 (remove only)
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.3.1
    Aiseesoft Mod Video Converter
    Amazon MP3 Downloader 1.0.3
    AOL Install
    Apple Mobile Device Support
    Apple Software Update
    ATI Catalyst Control Center
    ATI PCI Express (3GIO) Filter Driver
    Bonjour
    Broadcom Management Programs
    Browser Address Error Redirector
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Russian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-Branding
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Cooliris for Internet Explorer
    Dell DataSafe Online
    Dell Support Center
    Dell System Customization Wizard
    Dell Touchpad
    Dell Wireless WLAN Card
    DellSupport
    Digital Line Detect
    EarthLink Setup Files
    ERUNT 1.1j
    FlipShare
    Games, Music, & Photos Launcher
    Google Desktop
    Google Toolbar for Internet Explorer
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Internet Service Offers Launcher
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 19
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    MediaDirect
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Live Meeting 2007
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    Modem Diagnostic Tool
    Move Media Player
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    NetZeroInstallers
    OGA Notifier 2.0.0048.0
    OutlookAddinSetup
    Product Documentation Launcher
    QuickSet
    QuickTime
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    Safari
    Skins
    Skype™ 3.8
    Sonic Activation Module
    Spybot - Search & Destroy
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    User's Guides
    WebPAM

    ==== End Of File ===========================

  6. #16
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Remove Norton remnants with this tool. After that defrag your hard drive(s).

    Try to run GMER in normal mode by unselecting "files" checkbox in its options.

    Are you able to update Spybot and Windows Defender? How about running MBAM in normal mode (after updating it first), is that possible?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #17
    Junior Member
    Join Date
    Dec 2009
    Posts
    21

    Default

    OK. Ran the Norton removal tool and defragged my hard drive.

    Was unable to successfully run GMER in normal mode (even when unselecting the "files" checkbox). It keeps rebooting the machine or simply closing. I don't know if this is relevant, but during one try, I noticed that it hung up when scanning a file called mfehidk.sys within the FileSystem\fastfat\fat directory.

    I was successful in updating and running Spybot, Windows Defender and MBAM in normal mode and none showed any infections or other problems.

    Overall, the machine is still very slow and somewhat buggy (the GMER problem is one example). At this point do you feel it's worth taking further action or should I simply rebuild the hard drive?

    Thanks, as always, for your patience and helpful expertise.

    Steve

  8. #18
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    GMER crashing is probably caused by protection software still being more or less active. That mfehidk.sys file belongs to McAfee.

    Did you have the "Show All" box unchecked in GMER options too? If not, then you could try running GMER with both that and the "files" checkbox unchecked and McAfee turned off.

    If that doesn't work, then backing up important files and reformatting may not be that bad an idea, taking into account that no malware has been detected by any of the scanners used.

  9. #19
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Due to inactivity, this thread will now be closed.

    Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

    If it has been less than three days since your last response and you need the thread re-opened, please send me or another MOD a private message (PM). A valid, working link to the closed topic is required.